Only one of the issues has so far been patched
Security vulnerabilities in Microsoft Teams could allow an attacker to spoof link previews, leak IP addresses, and even access internal services.
A total of four vulnerabilities in the video conferencing app were discovered by a team of security researchers from Positive Security, who revealed the findings in a blog post released today (December 22).
They “stumbled upon” the issues while researching Teams’ URL preview feature for another, unrelated exploit, researcher Fabian Bräunlein told The Daily Swig.
The four findings are a server-side request forgery (SSRF) vulnerability and a URL preview spoofing bug in the web and desktop application, and for Android users, an IP address leak vulnerability and a denial-of-service (DoS) vulnerability.
In the Microsoft Teams URL preview feature, the URL is not filtered, which could lead to a limited SSRF that could leak information such as the response time, code, size, and open graph data, researchers explained.
This could be used for internal port scanning and sending HTTP-based exploits to the discovered web services.
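The SSRF described above exists because the preview fetcher will request whatever URL it is handed. The usual server-side mitigation is to validate the target before fetching: allow only http/https, resolve the hostname, and refuse any address in loopback, private, link-local (including the cloud metadata range) or otherwise reserved space. The code below is an added illustration of that check, not code from Positive Security or from Microsoft Teams; the resolver is injectable so the sample run uses a constructed DNS table rather than the network.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urlsplit

# A resolver maps a hostname to the list of addresses it resolves to.
Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve a hostname to every A/AAAA address via the OS resolver."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def is_blocked_address(addr: str) -> bool:
    """True for any address a preview fetcher must never contact."""
    ip = ipaddress.ip_address(addr)
    return (
        ip.is_private        # RFC 1918, ULA, and other non-global ranges
        or ip.is_loopback    # 127.0.0.0/8, ::1
        or ip.is_link_local  # 169.254.0.0/16, which includes 169.254.169.254
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def check_preview_target(url: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """Return None if `url` may be fetched for a link preview, otherwise a rejection reason."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials embedded in URL"

    # A literal IP in the URL (127.0.0.1, [::1], 10.0.0.5 ...) is checked directly.
    try:
        if is_blocked_address(host):
            return f"literal address {host} is internal"
        return None
    except ValueError:
        pass  # not a literal IP; fall through to name resolution

    # Hostnames are judged by what they resolve to, not by how they are spelled,
    # so alternative encodings of an internal address are caught at this step.
    try:
        addrs = list(resolver(host))
    except OSError as exc:
        return f"resolution failed: {exc}"
    if not addrs:
        return f"{host} has no addresses"
    for addr in addrs:
        if is_blocked_address(addr):
            return f"{host} resolves to internal address {addr}"
    return None


if __name__ == "__main__":
    # Constructed DNS table so the demo runs offline.
    table = {
        "intranet.example": ["10.1.2.3"],
        "public.example": ["93.184.216.34"],
    }
    for candidate in ("http://public.example/page", "http://intranet.example/",
                      "http://169.254.169.254/", "ftp://public.example/"):
        print(candidate, "->", check_preview_target(candidate, resolver=table.__getitem__))
```

One caveat: validating the resolved address and then letting an HTTP client resolve the name again leaves a window for DNS rebinding, so a production fetcher should connect to the address it checked (or re-check inside the connection hook) rather than resolving twice.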
Bräunlein told The Daily Swig: “An attacker could use the SSRF to scan for internal HTTP(s) services and send requests with the Log4Shell payload in the request URI to all of them to try to exploit vulnerable services that are not reachable from the internet.”
The team also explained that the preview link target can be set to any location independent of the main link, preview image and description, the displayed hostname, or hover text.
This could enable a malicious actor to direct the user to a fraudulent website under the guise of the URL displayed on the preview, opening the door to a host of activities.
The researchers also found two security flaws which specifically affected Android users.
Firstly, there is an IP address leak flaw in Android which could, as the name suggests, expose the IP details of the user.
The blog reads: “When creating a link preview, the backend fetches the referenced preview thumbnail and makes it available from a Microsoft domain.
“This ensures that the IP address and user agent data is not leaked when the receiving client loads the thumbnail.
“However, by intercepting the sending of the message, it’s possible to point the thumbnail URL to a non-Microsoft domain.
“The Android client does not check the domain/does not have a CSP restricting the allowed domains and loads the thumbnail image from any domain.”
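Both the spoofing issue and the Android thumbnail leak come down to the same design weakness: the client is allowed to supply display fields (preview target, displayed hostname, thumbnail URL) that the server does not tie back to the actual link. The example below is an added illustration of the defensive pattern, not code from Positive Security or from Microsoft Teams. It audits a client-supplied preview for inconsistencies, and shows the server-side alternative in which every display field is derived from the link itself and the thumbnail is re-served through a first-party proxy. The message layout and the proxy hostname are constructed placeholders; the page does not name the real Microsoft domain.

```python
from typing import Dict, List
from urllib.parse import quote, urlsplit

# Placeholder for the first-party host the backend re-serves thumbnails from.
THUMBNAIL_PROXY_HOST = "thumbnails.placeholder-cdn.example"
THUMBNAIL_HOST_ALLOWLIST = frozenset({THUMBNAIL_PROXY_HOST})


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    h = urlsplit(url).hostname
    return h.lower() if h else ""


def audit_preview(msg: Dict[str, str]) -> List[str]:
    """Check a client-supplied preview for the mismatches the researchers describe.

    Returns a list of findings; an empty list means the preview is self-consistent.
    Expected keys (constructed layout): link, preview_target, displayed_host, thumbnail_url.
    """
    findings: List[str] = []
    link_host = host_of(msg["link"])
    target_host = host_of(msg["preview_target"])
    shown_host = msg["displayed_host"].strip().lower()
    thumb_host = host_of(msg["thumbnail_url"])

    # Spoofing: the preview must open what the message actually links to.
    if target_host != link_host:
        findings.append(f"preview target host {target_host!r} differs from link host {link_host!r}")
    # Spoofing: the hostname shown to the user must be the one that will be opened.
    if shown_host != target_host:
        findings.append(f"displayed host {shown_host!r} differs from preview target host {target_host!r}")
    # IP leak: thumbnails may only be loaded from the first-party proxy.
    if thumb_host not in THUMBNAIL_HOST_ALLOWLIST:
        findings.append(f"thumbnail host {thumb_host!r} is not an allowed thumbnail host")
    return findings


def build_preview(link: str, thumbnail_source_url: str) -> Dict[str, str]:
    """Server-side construction of a preview: nothing display-related is taken from the client.

    The displayed host is derived from the link, the target is the link, and the
    thumbnail is fetched by the backend and served from THUMBNAIL_PROXY_HOST so the
    recipient's client never contacts the third-party image host.
    """
    return {
        "link": link,
        "preview_target": link,
        "displayed_host": host_of(link),
        "thumbnail_url": f"https://{THUMBNAIL_PROXY_HOST}/t?src={quote(thumbnail_source_url, safe='')}",
    }


if __name__ == "__main__":
    # Constructed example of a preview whose fields disagree with the link.
    inconsistent = {
        "link": "https://docs.good.example/report",
        "preview_target": "https://other.example/landing",
        "displayed_host": "docs.good.example",
        "thumbnail_url": "https://other.example/pixel.png",
    }
    for finding in audit_preview(inconsistent):
        print("finding:", finding)
    print("server-built:", build_preview("https://docs.good.example/report",
                                         "https://docs.good.example/cover.png"))
```

The allowlist check on the thumbnail host is the client-side counterpart of the server-side proxying; in a mobile client it plays the role the researchers attribute to a CSP, restricting image loads to the first-party domain regardless of what the message says.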
Secondly, there is a DoS vulnerability in the Android version of Teams which could render both the app and certain channels unusable with a specifically crafted message.
Open to exploit
Microsoft has so far only patched one of the vulnerabilities, the IP address issue in Android.
Bräunlein said that from the list of the unpatched vulnerabilities, the DoS “could become annoying”, but that the spoofing issue is more likely to be used in serious attacks.
The researcher added: “Regarding the spoofing issue, our advice is to check the URL again in the browser’s address bar after having followed a link. This is always a good idea, but now especially important when the link was opened via Teams.
“We’re not aware of a way for users to protect against the Android DoS. However, in case such a message renders a channel unusable, we suggest logging in via Teams’ web/desktop application, deleting the malicious message from there, and potentially blocking the user that sent the message.”
The Daily Swig has reached out to Microsoft for comment on the unpatched vulnerabilities and will update this article accordingly.